Commit http push stuff

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/distgit/files/gitolite-suexec-wrapper.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Suexec wrapper for gitolite-shell
+#
+
+export GIT_PROJECT_ROOT="/srv/git/repositories"
+export PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg
+export HOME=/srv/git
+export GITOLITE_HTTP_HOME=/srv/git
+
+# Hacky workaround because we set ScriptAlias more specific
+export PATH_INFO="$SCRIPT_URL"
+
+if [ -z "$REMOTE_USER" ];
+then
+    # Fall back to default user
+    export REMOTE_USER="anonymous"
+fi
+
+exec /usr/share/gitolite3/gitolite-shell

roles/distgit/files/httppush.conf

@@ -0,0 +1,32 @@
+SetEnv GIT_PROJECT_ROOT /srv/git/repositories
+
+AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          /srv/git/repositories/$1
+AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
+
+<Location />
+  AuthType oauth20
+  Require all granted
+</Location>
+<LocationMatch ".*/git-receive-pack">
+  AuthType oauth20
+  Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+</LocationMatch>
+
+<LocationMatch "/info/refs">
+  <If "%{QUERY_STRING} =~ /service=git-upload-pack/">
+    Require all granted
+  </If>
+  <Else>
+    AuthType oauth20
+    Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+  </Else>
+</LocationMatch>
+
+SuexecUserGroup pagure packager
+
+ScriptAliasMatch \
+  "(?x)^/(.*/(HEAD | \
+  info/refs | \
+  objects/info/[^/]+ | \
+  git-(upload|receive)-pack))$" \
+  /var/www/bin/gitolite-suexec-wrapper.sh/

roles/distgit/pagure/templates/z_pagure.conf

@@ -19,7 +19,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
 
   Alias /static /usr/lib/python2.7/site-packages/pagure/static/
   Alias /grokmirror /srv/git/grokmirror
-
+{% if env != "staging" %}
   SetEnv GIT_PROJECT_ROOT /srv/git/repositories
 
   AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          /srv/git/repositories/$1
@@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
     objects/info/[^/]+ | \
     git-(upload|receive)-pack))$" \
     /usr/libexec/git-core/git-http-backend/$1
-
+{% endif %}
   <Location />
    WSGIProcessGroup pagureproc
    <IfModule mod_authz_core.c>

roles/distgit/tasks/main.yml

@@ -31,6 +31,30 @@
   - distgit
   when: env == "staging"
 
+- name: install the http push configuration
+  copy: src=htpppush.conf dest=/etc/httpd/conf.d/htppush.conf
+  notify:
+  - reload httpd
+  tags:
+  - distgit
+  when: env == "staging"
+
+- name: Create suexec wrapper directory
+  file: path=/var/www/bin state=directory owner=pagure group=packager
+  tags:
+  - distgit
+  when: env == "staging"
+
+- name: Install suexec wrapper
+  copy:
+    src=gitolite-suexec-wrapper.sh
+    dest=/var/www/bin/gitolite-suexec-wrapper.sh
+    owner=pagure
+    group=packager
+  tags:
+  - distgit
+  when: env == "staging"
+
 - name: Put in git service config
   copy: src=git@.service dest=/etc/systemd/system/git@.service
   tags:

roles/distgit/templates/auth_openidc.conf

@@ -9,4 +9,4 @@ OIDCOAuthIntrospectionEndpointAuth client_secret_basic
 OIDCOAuthIntrospectionEndpointMethod POST
 OIDCOAuthTokenIntrospectionInterval 60
 OIDCOAuthSSLValidateServer On
-OIDCOAuthAcceptTokenAs basic
+OIDCOAuthAcceptTokenAs header